SHIELD Act to protect New Yorkers from data breaches

New York Attorney General Eric T. Schneiderman introduced new legislation to comprehensively protect New Yorkers’ personal information from a growing number of data breaches. In the wake of the Equifax breach, the Stop Hacks and Improve Electronic Data Security Act would close major gaps in New York’s data security laws, without putting an undue burden on businesses.

In 2016 alone, the AG’s office received a record 1,300 data breach notifications, representing a 60 percent increase over the previous year. In September, it was announced that Equifax Inc – one of the nation’s three major credit reporting agencies – experienced a massive breach that impacted more than 8 million New Yorkers. Schneiderman launched a formal investigation into the breach and has successfully pressed the company to address a number of issues.

Under current law, companies can compile troves of sensitive data about individual New Yorkers – but they are not obligated to meet any data security requirements if the personally identifying information in their possession does not include a social security number. In fact, current law does not even require companies to report data breaches of username-and-password combinations, or biometric data like the fingerprint used to unlock an iPhone.

Under the SHIELD Act, companies would have a legal responsibility to adopt “reasonable” administrative, technical, and physical safeguards for sensitive data; the standards would apply to any business that holds sensitive data of New Yorkers, whether they do business in New York or not.

The SHIELD Act also expands the types of data that trigger reporting requirements to include username-and-password combinations, biometric data, and HIPAA-covered health data. The bill also provides companies with a strong incentive to go beyond the bare minimum and obtain independent certification that their data security measures meet the highest standards. Companies that do so would receive safe harbor from state enforcement action.